
The Ribbon Finance protocol, formerly known as Aevo, lost $2.7 million, which was withdrawn from an old contract and transferred to fifteen separate wallets.
According to cybersecurity experts, the attack occurred just six days after the platform updated its oracle infrastructure and options creation procedures. The attackers used a smart contract to obtain the digital assets.

Web3 security analyst Liyi Zhou said the malicious contract manipulated the Opyn/Ribbon oracle stack by abusing proxies for price data and injecting arbitrary expiration prices for wstETH, AAVE, LINK, and WBTC into the public oracle with an expiration timestamp.
The attacker opened large short oToken positions in Ribbon Finance’s MarginPool, used these fake expiration prices in the settlement pipeline, and transferred hundreds of WETH and wstETH, thousands of USDC, and several WBTC to theft addresses via redeem and redeemTo transactions, Zhou explained.
Six days before the attack, the Ribbon Finance team updated the oracle pricing system to support 18 decimal places for stETH, PAXG, LINK, and AAVE. However, other assets, including USDC, still had eight-digit precision. According to Zhou, this difference in decimal precision was the cause of the vulnerability.
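To show why mixed decimal precision is dangerous at settlement time, the following added example (a simplified model, not Ribbon or Opyn contract code) compares a payout calculation that ignores each price's declared decimals with one that normalizes both prices first. The `Price` type, the payout formula and all price values are constructed assumptions.

```python
from dataclasses import dataclass
from fractions import Fraction


@dataclass(frozen=True)
class Price:
    value: int     # fixed-point integer as stored by an oracle
    decimals: int  # number of decimal places that integer carries


def payout_naive(expiry: Price, strike: Price) -> Fraction:
    """Share of collateral owed to a call holder, comparing raw integers.

    Flawed on purpose: it ignores `decimals`, so an 18-decimal expiry price
    dwarfs an 8-decimal strike regardless of the real market price.
    """
    if expiry.value <= strike.value:
        return Fraction(0)
    return Fraction(expiry.value - strike.value, expiry.value)


def to_scale(p: Price, decimals: int) -> int:
    """Rescale a price to `decimals` places without losing precision."""
    if p.decimals > decimals:
        raise ValueError("price carries more precision than the target scale")
    return p.value * 10 ** (decimals - p.decimals)


def payout_normalized(expiry: Price, strike: Price, scale: int = 18) -> Fraction:
    """Same formula, but both prices are brought to one scale first."""
    e, s = to_scale(expiry, scale), to_scale(strike, scale)
    if e <= s:
        return Fraction(0)
    return Fraction(e - s, e)


# Constructed sample values: a $13 strike stored with 8 decimals, and
# expiry prices of $14 and $12 stored with 18 decimals.
STRIKE_8 = Price(13 * 10**8, 8)
EXPIRY_ITM_18 = Price(14 * 10**18, 18)
EXPIRY_OTM_18 = Price(12 * 10**18, 18)

if __name__ == "__main__":
    for name, expiry in (("in the money", EXPIRY_ITM_18), ("out of the money", EXPIRY_OTM_18)):
        print(name,
              "naive:", float(payout_naive(expiry, STRIKE_8)),
              "normalized:", float(payout_normalized(expiry, STRIKE_8)))
```

In this model the unnormalized comparison pays out almost the entire collateral even when the option expired out of the money, while the normalized version pays 1/14 and 0 respectively.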